terraform: align infrastructure module attributes (#2703)

* all vars have snail_case

* make iam schema consistent

* infrastructure schema

* terraform: update AWS infrastructure module

* fix ci

* terraform: update AWS infrastructure module

* terraform: update AWS IAM module

* terraform: update Azure Infrastructure module inputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update Azure IAM module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update GCP infrastructure module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update GCP IAM module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update OpenStack Infrastructure module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update QEMU Infrastructure module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-module: fix input name

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: tidy

* cli: ignore whitespace in Terraform variable tests

* terraform-module: fix AWS output names

* terraform-module: fix output references

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: rename `api_server_cert_sans`

* Update terraform/infrastructure/aws/modules/public_private_subnet/variables.tf

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* fix self-managed

* terraform: revert AWS modules output file renaming

* terraform: remove duplicate varable declaration

* terraform: rename Azure location field

* ci: adjust output name in self-managed e2e test

* e2e: continuously print output in upgrade test

* e2e: write to output variables

* cli: migrate IAM variable names

* cli: make `location` field optional

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

terraform/infrastructure/iam/aws/README.md

@@ -1,24 +0,0 @@
-# IAM instance profiles for AWS
-
-This terraform script creates the necessary profiles that need to be attached to Constellation nodes.
-
-You can create the profiles with the following commands:
-
-```sh
-mkdir constellation_aws_iam
-cd constellation_aws_iam
-curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/aws/iam/{main,output,variables}.tf
-terraform init
-terraform apply -auto-approve -var name_prefix=my_constellation
-```
-
-You can either get the profile names from the Terraform output values `control_plane_instance_profile` and `worker_nodes_instance_profile` and manually add them to your Constellation configuration file.
-
-Or you can do this with a `yq` command:
-
-```sh
-yq -i "
-  .provider.aws.iamProfileControlPlane = $(terraform output control_plane_instance_profile) |
-  .provider.aws.iamProfileWorkerNodes = $(terraform output worker_nodes_instance_profile)
-  " path/to/constellation-conf.yaml
-```

terraform/infrastructure/iam/aws/main.tf

@@ -7,7 +7,6 @@ terraform {
   }
 }
 
-# Configure the AWS Provider
 provider "aws" {
   region = var.region
 }

terraform/infrastructure/iam/aws/outputs.tf

@@ -1,7 +1,9 @@
-output "control_plane_instance_profile" {
-  value = aws_iam_instance_profile.control_plane_instance_profile.name
+output "iam_instance_profile_name_control_plane" {
+  value       = aws_iam_instance_profile.control_plane_instance_profile.name
+  description = "Name of the control plane's instance profile."
 }
 
-output "worker_nodes_instance_profile" {
-  value = aws_iam_instance_profile.worker_node_instance_profile.name
+output "iam_instance_profile_name_worker_nodes" {
+  value       = aws_iam_instance_profile.worker_node_instance_profile.name
+  description = "Name of the worker nodes' instance profile"
 }

terraform/infrastructure/iam/aws/variables.tf

@@ -1,10 +1,10 @@
 variable "name_prefix" {
   type        = string
-  description = "Prefix for all resources"
+  description = "Name prefix to use on named resources."
 }
 
 variable "region" {
   type        = string
-  description = "AWS region"
+  description = "AWS region."
   default     = "us-east-2"
 }

terraform/infrastructure/iam/azure/README.md

@@ -1,32 +0,0 @@
-# Terraform Azure IAM creation
-
-This terraform configuration creates the necessary Azure resources that need to be available to host a Constellation cluster.
-
-You can create the resources with the following commands:
-
-```sh
-mkdir constellation_azure_iam
-cd constellation_azure_iam
-curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/azure/iam/{main.tf,output.tf,variables.tf,.terraform.lock.hcl}
-terraform init
-terraform apply
-```
-
-The following terraform output values are available (with their corresponding keys in the Constellation configuration file):
-
-- `subscription_id` (subscription)
-- `tenant_id` (tenant)
-- `uami_id` (userAssignedIdentity)
-
-You can either get the profile names from the Terraform output and manually add them to your Constellation configuration file according to our [Documentation](https://docs.edgeless.systems/constellation/getting-started/first-steps).
-Or you can do this with a `yq` command:
-
-```sh
-yq -i "
-  .provider.azure.subscription = $(terraform output subscription_id) |
-  .provider.azure.tenant = $(terraform output tenant_id) |
-  .provider.azure.userAssignedIdentity = $(terraform output uami_id) |
-  " path/to/constellation-conf.yaml
-```
-
-Where `path/to/constellation-conf.yaml` is the path to your Constellation configuration file.

terraform/infrastructure/iam/azure/main.tf

@@ -28,24 +28,24 @@ provider "azuread" {
 # Access current subscription (available via Azure CLI)
 data "azurerm_subscription" "current" {}
 
-# # Access current AzureAD configuration
+# Access current AzureAD configuration
 data "azuread_client_config" "current" {}
 
 # Create base resource group
 resource "azurerm_resource_group" "base_resource_group" {
   name     = var.resource_group_name
-  location = var.region
+  location = var.location
 }
 
 # Create identity resource group
 resource "azurerm_resource_group" "identity_resource_group" {
   name     = "${var.resource_group_name}-identity"
-  location = var.region
+  location = var.location
 }
 
 # Create managed identity
 resource "azurerm_user_assigned_identity" "identity_uami" {
-  location            = var.region
+  location            = var.location
   name                = var.service_principal_name
   resource_group_name = azurerm_resource_group.identity_resource_group.name
 }

terraform/infrastructure/iam/azure/outputs.tf

@@ -1,16 +1,19 @@
 output "subscription_id" {
-  value = data.azurerm_subscription.current.subscription_id
+  value       = data.azurerm_subscription.current.subscription_id
+  description = "ID of the Azure subscription."
 }
 
 output "tenant_id" {
-  value = data.azurerm_subscription.current.tenant_id
+  value       = data.azurerm_subscription.current.tenant_id
+  description = "ID of the Azure tenant."
 }
 
 output "uami_id" {
-  description = "Outputs the id in the format: /$ID/resourceGroups/$RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$NAME. Not to be confused with the client_id"
   value       = azurerm_user_assigned_identity.identity_uami.id
+  description = "Resource ID of the UAMI in the format: /$ID/resourceGroups/$RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$NAME. Not to be confused with the Client ID of the UAMI."
 }
 
 output "base_resource_group" {
-  value = azurerm_resource_group.base_resource_group.name
+  value       = azurerm_resource_group.base_resource_group.name
+  description = "Name of the resource group."
 }

terraform/infrastructure/iam/azure/variables.tf

@@ -1,14 +1,14 @@
 variable "resource_group_name" {
   type        = string
-  description = "Resource group name"
+  description = "Name for the resource group the cluster should reside in."
 }
 
 variable "service_principal_name" {
   type        = string
-  description = "Service principal name"
+  description = "Name for the service principal used within the cluster."
 }
 
-variable "region" {
+variable "location" {
   type        = string
-  description = "Azure resource location"
+  description = "Azure location the cluster should reside in."
 }

terraform/infrastructure/iam/gcp/README.md

@@ -1,36 +0,0 @@
-# IAM configuration for GCP
-
-This terraform script creates the necessary GCP IAM configuration to be attached to Constellation nodes.
-
-You can create the configuration with the following commands:
-
-```sh
-mkdir constellation_gcp_iam
-cd constellation_gcp_iam
-curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/terraform/infrastructure/iam/gcp/{main.tf,outputs.tf,variables.tf,.terraform.lock.hcl}
-terraform init
-terraform apply
-```
-
-The following terraform output values are available (with their corresponding keys in the Constellation configuration file):
-
-- `sa_key` - **Sensitive Value**
-- `region` (region)
-- `zone` (zone)
-- `project_id` (project)
-
-You can either get the values from the Terraform output and manually add them to your Constellation configuration file according to our [Documentation](https://docs.edgeless.systems/constellation/getting-started/first-steps). (If you add the values manually, you need to base64-decode the `sa_key` value and place it in a JSON file, then specify the path to this file in the Constellation configuration file for the `serviceAccountKeyPath` key.)
-
-Or you can setup the constellation configuration file automaticcaly with the following commands:
-
-```sh
-terraform output sa_key | sed "s/\"//g" | base64 --decode | tee gcpServiceAccountKey.json
-yq -i "
-  .provider.gcp.serviceAccountKeyPath = \"$(realpath gcpServiceAccountKey.json)\" |
-  .provider.gcp.project = $(terraform output project_id) |
-  .provider.gcp.region = $(terraform output region) |
-  .provider.gcp.zone = $(terraform output zone)
-  " path/to/constellation-conf.yaml
-```
-
-Where `path/to/constellation-conf.yaml` is the path to your Constellation configuration file.

terraform/infrastructure/iam/gcp/outputs.tf

@@ -1,4 +1,5 @@
-output "sa_key" {
-  value     = google_service_account_key.service_account_key.private_key
-  sensitive = true
+output "service_account_key" {
+  value       = google_service_account_key.service_account_key.private_key
+  description = "Private key of the service account."
+  sensitive   = true
 }

terraform/infrastructure/iam/gcp/variables.tf

@@ -1,19 +1,19 @@
 variable "project_id" {
   type        = string
-  description = "GCP Project ID"
+  description = "ID of the GCP project the cluster should reside in."
 }
 
 variable "service_account_id" {
   type        = string
-  description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$"
+  description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$."
 }
 
 variable "region" {
   type        = string
-  description = "Region used for constellation clusters. Needs to have the N2D machine type available."
+  description = "GCP region the cluster should reside in. Needs to have the N2D machine type available."
 }
 
 variable "zone" {
   type        = string
-  description = "Zone used for constellation clusters. Needs to be within the specified region."
+  description = "GCP zone the cluster should reside in. Needs to be within the specified region."
 }